Abstract — We consider a model for secrecy generation, with 
three terminals, by means of public interterminal communication, 
and examine the problem of characterizing all the rates at 
which all three terminals can generate a "secret key," and 
- simultaneously - two designated terminals can generate a 
"private key" which is effectively concealed from the remaining 
terminal; both keys are also concealed from an eavesdropper that 
observes the public communication. Inner and outer bounds for 
the "secret key-private key capacity region" are derived. Under 
a certain special condition, these bounds coincide to yield the 
(exact) secret key-private key capacity region. 

I. Introduction 

The problem of secret key generation by multiple terminals, 
based on their observations of distinct correlated sources 
followed by public communication among themselves, has 
been investigated by several authors ([6], [1], [2], [8], [9], 
[10], [4], [11], [12], [13], [14], among others). It has been 
shown that these terminals can generate common randomness 
which is kept secret from an eavesdropper that is privy to 
the public interterminal communication, and sometimes also 
to a wiretapped source which is correlated with the previous 
sources. 

In the wake of [6], [1], models for secrecy generation by 
multiple terminals have been widely studied. Of particular 
interest to us is recent work in [5], which considers a model 
consisting of an arbitrary number of terminals that respectively 
observe the distinct components of a discrete memoryless mul- 
tiple source (DMMS) followed by unrestricted public commu- 
nication among themselves; a subset of the terminals can also 
serve as "helpers" for the remaining terminals in generating 
secrecy. Three varieties of secrecy capacity - the largest rate 
of secrecy generation - are considered according to the extent 
of an eavesdropper's knowledge: secret key, private key and 
wiretap secret key capacity. A secret key (SK) generated by 
a set of "user" terminals with assistance - in the form of 
additional correlated information - from a set of helper termi- 
nals (e.g., centralized or trusted servers in a key establishment 
protocol), requires concealment from an eavesdropper with 
access to the public interterminal communication. A private 
key (PK) generated by the user terminals must be additionally 
protected from the assisting helper terminals. A wiretap secret 
key¹ must satisfy the even more stringent requirement of 
being protected from a resourceful eavesdropper's access to 
a wiretapped correlated source. It should be mentioned that 
in all of the work mentioned above, the user terminals are 
required to devise only a single key, of any variety, to be used 
subsequently for secure encrypted communication. 

There are, however, situations, arising for instance in "group 
communication," in which multiple keys must be simultane- 
ously devised in a coordinated manner by different groups 
of terminals (with possible overlaps of groups); such keys 
need protection from prespecified terminals as also from an 
eavesdropper. For instance, in group communication, different 
groups of terminals (with possible overlaps of groups) must 
generate different keys for encrypted communication within 
those groups. A key devised for a group must be concealed 
from terminals outside that group as well as from an eaves- 
dropper. Such "group-wide" keys can be simultaneously de- 
vised in a coordinated manner by different groups of terminals. 
Separate keys for different groups are also needed when certain 
disabled terminals become unauthorized or unreliable so that 
the keys assigned to them, in effect, are compromised; to 
maintain security, the remaining authorized terminals must 
then switch to another set of keys which are concealed from 
the disabled terminals. In the interests of efficiency, all such 
keys must be devised at the outset of operations so as to 
avoid the need for a fresh key generation procedure after a 
disablement. 

In general, in a network with m terminals, we could have 
one (common) secret key for all the terminals, and private keys 
for every proper subset of the m terminals. These situations 
produce a rich vein of secrecy generation problems, the 
information-theoretic underpinnings of which are substantial 
enough for investigation already in the case of just three 
terminals. The first work on the simultaneous generation of 
multiple keys is [15], in which the problem of generating two 
PKs for two different groups of user terminals is investigated. 

In this paper, we consider a simple model with three 
terminals and examine the problem of characterizing all the 
rates at which the following two types of keys can be generated 
simultaneously: (i) all the three terminals generate a SK, 
which is effectively concealed from an eavesdropper; and 
(ii) a designated pair of terminals generate a PK, which is 
effectively concealed from the remaining terminal as well as 
the eavesdropper. Suppose that terminals $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{Z}$ observe, 
respectively, the distinct components of a DMMS, i.e., independent 
and identically distributed (i.i.d.) repetitions of the 
generic random variables (rvs) $X$, $Y$, $Z$, respectively. The 
terminals are permitted unrestricted communication among 
themselves over a public channel, and all the transmissions are 
observed by all the terminals. An eavesdropper has access to 
this public communication too, but gathers no additional (wiretapped) 
side-information; also, the eavesdropper is passive, 
i.e., unable to corrupt the transmissions. Terminals $\mathcal{X}$, $\mathcal{Y}$ and 
$\mathcal{Z}$ generate a SK, which is concealed from the eavesdropper 
with access to the public communication among the terminals. 
Also, terminals $\mathcal{X}$ and $\mathcal{Y}$ generate a PK, with the possible help 
of terminal $\mathcal{Z}$, which is concealed from the helper terminal $\mathcal{Z}$ 
and from the eavesdropper. The set of all rate pairs at which 
such (SK, PK) pairs can be generated is called the (SK, PK)-capacity 
region. 

¹ The capacity problem associated with a wiretap secret key is not fully 
resolved even in the case of two user terminals, and we do not consider it 
here. 

Our main technical results are inner and outer bounds for 
the (SK, PK)-capacity region. Under a special condition, these 
bounds coincide to yield the (exact) capacity region. 

II. Statement of Results 

Consider a DMMS with three components corresponding 
to generic rvs $X, Y, Z$, with finite alphabets $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$. 
Let $X^n = (X_1, \ldots, X_n)$, $Y^n = (Y_1, \ldots, Y_n)$, 
$Z^n = (Z_1, \ldots, Z_n)$ be $n$ i.i.d. repetitions of the rvs $X, Y, Z$. The 
terminals $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$² respectively observe the components 
$X^n, Y^n, Z^n$ of the DMMS, where $n$ denotes 
the observation length. The terminals can communicate with 
each other through broadcasts over a noiseless public channel, 
possibly interactively in many rounds. Following [5], we 
assume, without loss of generality, that these transmissions 
occur in consecutive time slots in $r$ rounds; the communication 
is depicted by $3r$ rvs $F_1, \ldots, F_{3r}$, where $F_t$ denotes the 
transmission in time slot $t$, $1 \le t \le 3r$, by a terminal assigned 
an index $i = t \bmod 3$, $1 \le i \le 3$, with terminals $\mathcal{X}, \mathcal{Y}, \mathcal{Z}$ 
corresponding to indices 1, 2, 3, respectively. In general, $F_t$ is 
allowed to be any function, defined in terms of a mapping $f_t$, 
of the observations at the terminal with index $i$, $i = t \bmod 3$, 
and of the previous transmissions $F_{[1,t-1]} = (F_1, \ldots, F_{t-1})$; 
thus, for instance, $F_1 = f_1(X^n)$, $F_2 = f_2(Y^n, F_1)$, 
$F_3 = f_3(Z^n, F_{[1,2]})$, and so on. We do not permit any randomization 
at the terminals; in particular, $f_1, \ldots, f_{3r}$ are deterministic 
mappings. Let $F = (F_1, \ldots, F_{3r})$ denote collectively all the 
transmissions in the $3r$ time slots. 

Given $\epsilon > 0$ and the rvs $U, V$, we say that $U$ is 
$\epsilon$-recoverable from $V$ if $\Pr\{U \ne f(V)\} \le \epsilon$ for some function 
$f(V)$ of $V$ (cf. [5]). 

² The use of the same symbol for a terminal as well as for the alphabet of 
its observations should not lead to any confusion. 



The rvs $K_S, K_P$, which are functions of $(X^n, Y^n, Z^n)$, 
with finite ranges $\mathcal{K}_S$ and $\mathcal{K}_P$, respectively, represent an $\epsilon$-(SK, 
PK) pair, where the SK is for all the terminals and the PK is 
for terminals $\mathcal{X}, \mathcal{Y}$ with privacy from terminal $\mathcal{Z}$, achievable 
with communication $F$, if: 

• $K_S$ is $\epsilon$-recoverable from each of $(F, X^n)$, $(F, Y^n)$, 
$(F, Z^n)$; 

• $K_P$ is $\epsilon$-recoverable from each of $(F, X^n)$, $(F, Y^n)$; 

• $K_S$ satisfies the secrecy condition and the uniformity 
condition 

$\frac{1}{n} I(K_S \wedge F) \le \epsilon$; (1) 

$\frac{1}{n} H(K_S) \ge \frac{1}{n} \log |\mathcal{K}_S| - \epsilon$; 

and 

• $K_P$ satisfies the secrecy condition and the uniformity 
condition 

$\frac{1}{n} I(K_P \wedge F, Z^n) \le \epsilon$; (2) 

$\frac{1}{n} H(K_P) \ge \frac{1}{n} \log |\mathcal{K}_P| - \epsilon$. 

The conditions above thus mean that terminals $\mathcal{X}$, $\mathcal{Y}$ and 
$\mathcal{Z}$ generate a nearly uniformly distributed SK $K_S$ which 
is concealed from an eavesdropper that observes the public 
communication $F$. Simultaneously, based on the same public 
communication, terminals $\mathcal{X}$ and $\mathcal{Y}$ generate a PK $K_P$ with 
the terminal $\mathcal{Z}$ acting as helper (e.g., a "third-party" in a key 
establishment protocol) by providing $\mathcal{X}$, $\mathcal{Y}$ with additional 
correlated information; this private key is nearly uniformly 
distributed, and is concealed from an eavesdropper that observes 
the public communication $F$ as well as from the helper 
$\mathcal{Z}$ (hence, "private"). Note that the previous conditions readily 
imply that $K_S$ and $K_P$ are "nearly" statistically independent. 

Definition 1: A pair of nonnegative numbers $(R_S, R_P)$ 
constitute an achievable (SK, PK)-rate pair if for every $\epsilon > 0$ 
and sufficiently large $n$, an $\epsilon$-(SK, PK) pair $(K_S, K_P)$ is 
achievable with suitable communication (with the number of 
rounds possibly depending on $n$), such that $\frac{1}{n} H(K_S) \ge 
R_S - \epsilon$, $\frac{1}{n} H(K_P) \ge R_P - \epsilon$. The set of all achievable (SK, 
PK)-rate pairs is the (SK, PK)-capacity region, denoted by 
$C_{SP}$. 
Remarks: 

1. Maurer [7] pointed out that the secrecy conditions (1) and 
(2) were inadequate for cryptographic purposes, and should 
be strengthened by omission of the factor $\frac{1}{n}$. While all our 
achievability results below are presented in the "weak sense," 
they can be established in the stronger sense of [7] by using 
the techniques developed in [10]. 

2. The (SK, PK)-capacity region $C_{SP}$ is a closed convex 
set. Closedness is obvious from the definition, while convexity 
follows from a time-sharing argument (cf. [3]). 

3. If $K_P$ is set equal to a constant in the definition above, 
i.e., only a (single) $\epsilon$-SK is generated by terminals $\mathcal{X}$, $\mathcal{Y}$ and 
$\mathcal{Z}$, then the entropy rate of such a secret key is called an 
achievable SK-rate, and the largest achievable SK-rate is the 
SK-capacity. It is known [5] that the SK-capacity is equal to 

$\min\left\{ I(X \wedge Y,Z),\ I(Y \wedge X,Z),\ I(Z \wedge X,Y),\ \frac{1}{2}[H(X) + H(Y) + H(Z) - H(X,Y,Z)] \right\}$. (3) 

4. If $K_S$ is set equal to a constant in the definition above, 
i.e., only a (single) $\epsilon$-PK is generated by terminals $\mathcal{X}$ and $\mathcal{Y}$ 
with terminal $\mathcal{Z}$ serving as a helper terminal, then the entropy 
rate of such a private key is called an achievable PK-rate, and 
the largest achievable PK-rate is the PK-capacity. It is known 
(cf. [1], [4]) that the PK-capacity is equal to 

$I(X \wedge Y | Z)$. (4) 



Example 1: Let $X$ and $Y$ be independent rvs, each uniformly 
distributed on $\{0, 1\}$. Let $Z = X \oplus Y$, where $\oplus$ denotes 
addition modulo 2. 

It is easily seen from (3) that the SK-capacity for the terminals 
$\mathcal{X}$, $\mathcal{Y}$, $\mathcal{Z}$ equals $\frac{1}{2}$, and from (4) that the PK-capacity for 
the terminals $\mathcal{X}$, $\mathcal{Y}$, with privacy from $\mathcal{Z}$, equals 1. We 
claim in this elementary example that 1 bit of perfect SK 
(i.e., $\epsilon$-SK with $\epsilon = 0$) is achievable for all the terminals, 
with observation length $n = 2$, using the following scheme. 
Terminals $\mathcal{X}$, $\mathcal{Y}$, $\mathcal{Z}$, with respective observations $(X_1, X_2)$, 
$(Y_1, Y_2)$, $(Z_1, Z_2)$, transmit $X_1$, $Y_2$ and $Z_1 \oplus Z_2$, respectively. 
Then each terminal can perfectly recover all the observations 
of the other terminals. The secret key $K_S$ is set to be $X_2$ (or 
$Y_1$ or $Z_1$ or $Z_2$). It can be shown that 

$I(K_S \wedge F) = I(X_2 \wedge X_1, Y_2, Z_1 \oplus Z_2) = 0$, 

and 

$H(K_S) = 1$. 

On the other hand, 1 bit of perfect PK is achievable for 
terminals $\mathcal{X}$ and $\mathcal{Y}$, with privacy from $\mathcal{Z}$, for observation 
length $n = 1$. When terminal $\mathcal{Z}$ transmits $F = Z_1$, terminal 
$\mathcal{X}$ can perfectly recover $Y_1$, which is set to be $K_P$. It is clear 
that 

$I(K_P \wedge F, Z^n) = 0$, 

and 

$H(K_P) = 1$. 

Using a time-sharing argument, every (SK, PK)-rate pair 
$(R_S, R_P)$ satisfying 

$2R_S + R_P \le 1$ (5) 

is perfectly achievable. The results in this paper (cf. Theorem 
1 below) will show that the secret key-private key capacity 
region $C_{SP}$ for this example cannot be larger than the region 
in (5), so that (5) characterizes the capacity region $C_{SP}$. 

For notational simplicity, we set 

$A \triangleq I(Z \wedge X, Y)$, 

$B \triangleq \min\{ I(X \wedge Y, Z),\ I(Y \wedge X, Z) \}$, 

$C \triangleq \frac{1}{2}[H(X) + H(Y) + H(Z) - H(X, Y, Z)]$. 

Thus, the SK-capacity (3) for the terminals $\mathcal{X}$, $\mathcal{Y}$, $\mathcal{Z}$ is equal 
to $\min\{A, B, C\}$. 

Theorem 1 (Outer bound for $C_{SP}$): Let $(R_S, R_P)$ be an 
achievable (SK, PK)-rate pair. Then 

$R_S \le A$, (6) 

$R_P \le I(X \wedge Y | Z)$, (7) 

$R_S + R_P \le B$, (8) 

$2R_S + R_P \le 2C$. (9) 

Remark: The bounds (6), (7) on the individual largest achievable 
SK- and PK-rates are obvious from (3) and (4). Also, 
while (3) implies 

$R_S \le B$, $R_S \le C$, 

note that the conditions (8), (9) above are more stringent than 
these. 

Theorem 2 (Inner bound for $C_{SP}$): The (SK, PK)-capacity 
region $C_{SP}$ is inner-bounded by the region 

$\frac{\min\{A, B, C\} - \min\{ I(X \wedge Z),\ I(Y \wedge Z) \}}{I(X \wedge Y | Z)}\, R_P + R_S \le \min\{A, B, C\}$, 

$R_P \le I(X \wedge Y | Z)$. (10) 

Remark: The proof of Theorem 2 is based on the following 
idea: a modified version of the random binning 
technique developed in [5] is first used to generate the 
needed "common randomness." A SK and a PK, of rate pair 
$(\min\{ I(X \wedge Z), I(Y \wedge Z) \},\ I(X \wedge Y | Z))$, are then extracted 
from this common randomness, by a means from [5]. An 
application of the time-sharing technique then leads to the 
achievability of the region in (10). Although interterminal 
communication between $\mathcal{X}$, $\mathcal{Y}$, $\mathcal{Z}$ is permitted, the region in 
(10) is shown to be achieved by a single autonomous transmission 
from each terminal based on its own local observation 
of its component of the DMMS. 

Under a certain condition, the outer bound in Theorem 1 
coincides with the inner bound in Theorem 2, which provides 
a characterization of the (SK, PK)-capacity region Csp- 

Theorem 3: If $\min\{A, B, C\} = B$, then $C_{SP}$ equals the 
set of pairs $(R_S, R_P)$ satisfying (7) and (8). 

Example 2: Let $X$, $Y$ and $Z$ be three rvs, each uniformly 
distributed on $\{0, 1\}$, and satisfying the Markov condition 
$Y \multimap X \multimap Z$. Further, suppose that 

$P_{XY}(x, y) = \frac{1 - p}{2}\, \delta_{x,y} + \frac{p}{2}\, (1 - \delta_{x,y})$, 

$P_{XZ}(x, z) = \frac{1 - q}{2}\, \delta_{x,z} + \frac{q}{2}\, (1 - \delta_{x,z})$, 

where $0 < q < p < \frac{1}{2}$ and 

$\delta_{x,y} = 0$ if $x \ne y$, and $\delta_{x,y} = 1$ if $x = y$. 

Straightforward calculations show that 

$A = I(Z \wedge X, Y) = 1 - h(q)$, 

$B = \min\{ I(X \wedge Y, Z),\ I(Y \wedge X, Z) \} = 1 - h(p)$, 

and 

$C = \frac{1}{2}[H(X) + H(Y) + H(Z) - H(X, Y, Z)] = 1 - \frac{h(p) + h(q)}{2}$, 

where $h(p) = -p \log_2 p - (1 - p) \log_2 (1 - p)$ is the binary 
entropy function. Since $0 < q < p < \frac{1}{2}$, we have that 
$\min\{A, B, C\} = B$. It follows from Theorem 3 that $C_{SP}$ is 
the set of pairs $(R_S, R_P)$ satisfying 

$R_P \le h(p + q - 2pq) - h(p)$, 

$R_S + R_P \le 1 - h(p)$. 

This region is depicted in Fig. 1. 

Fig. 1. $C_{SP}$ for Example 2. [Figure not reproduced; the axis marks are 
$h_b(p + q - 2pq) - h_b(p)$ and $1 - h_b(p + q - 2pq)$.] 

Remarks: Although we have shown the tightness of the outer 
bound for $C_{SP}$ under the condition $\min\{A, B, C\} = B$, it 
remains open as to whether this outer bound is tight in general. 
To prove its tightness, it would suffice to show the tightness 
of the outer bound under the condition $\min\{A, B, C\} = 
\min\{A, C\}$. Since the case $A < B < C$ can be easily seen 
to be impossible, two remaining cases are relevant, and these 
are unresolved to date. 

Case 1: $\min\{A, B, C\} = C$: Under this condition, the 
constraint (6) is implied by the constraint (9). Thus, the 
outer bound for the (SK, PK)-capacity region is given by the 
constraints (7), (8) and (9), and is depicted in Fig. 2. By a time-sharing 
argument, to show the achievability of this region, it 
suffices to show that the (SK, PK)-rate pairs $(0, I(X \wedge Y | Z))$, 
$(C, 0)$, 

$(\min\{ I(X \wedge Z), I(Y \wedge Z) \},\ I(X \wedge Y | Z))$ 

and 

$(\max\{ I(X \wedge Z), I(Y \wedge Z) \},\ B - \max\{ I(X \wedge Z), I(Y \wedge Z) \})$ (11) 

are all achievable. While the first three (SK, PK)-rate pairs 
are known to be achievable, it is unclear if the achievability 
of the (SK, PK)-rate pair (11) holds. 

Fig. 2. Inner and outer bounds for $C_{SP}$ for Case 1. [Figure not 
reproduced; the axis marks are $I(X \wedge Y | Z)$, 
$B - \max\{ I(X \wedge Z), I(Y \wedge Z) \}$, $\min\{ I(X \wedge Z), I(Y \wedge Z) \}$, 
$\max\{ I(X \wedge Z), I(Y \wedge Z) \}$ and $\frac{I(X \wedge Z) + I(Y \wedge Z)}{2}$, and the 
line $R_P = I(X \wedge Y | Z)$ is drawn.] 

Case 2: $A < C < B$: The outer bound for the (SK, PK)-capacity 
region under this condition is depicted in Fig. 3. To 
show that this region is achievable, it suffices to show the 
achievability of the (SK, PK)-rate pairs $(0, I(X \wedge Y | Z))$, $(A, 0)$, 

$(\min\{ I(X \wedge Z), I(Y \wedge Z) \},\ I(X \wedge Y | Z))$, 

$(\max\{ I(X \wedge Z), I(Y \wedge Z) \},\ B - \max\{ I(X \wedge Z), I(Y \wedge Z) \})$, (12) 

and 

$(I(Z \wedge X, Y),\ I(X \wedge Y) - I(Z \wedge X, Y))$. (13) 

While the achievability of the first three (SK, PK)-rate pairs 
can be shown, it remains unclear whether the (SK, PK)-rate pairs 
(12) and (13) are achievable. 
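The following Python script is an added worked example, not part of the paper: it checks Examples 1 and 2 numerically from explicit joint pmfs. It runs both schemes of Example 1 (the $n = 2$ SK scheme with $F = (X_1, Y_2, Z_1 \oplus Z_2)$, $K_S = X_2$, and the $n = 1$ PK scheme with $F = Z_1$, $K_P = Y_1$), verifies recoverability at every terminal and the perfect-secrecy identities $I(K_S \wedge F) = 0$, $I(K_P \wedge F, Z^n) = 0$, evaluates the SK- and PK-capacities (3) and (4), and for Example 2 compares the numerically computed $A$, $B$, $C$ and $I(X \wedge Y | Z)$ with the paper's closed forms, checks the Theorem 3 condition $\min\{A, B, C\} = B$, and shows that the Theorem 2 corner $(\min\{I(X \wedge Z), I(Y \wedge Z)\}, I(X \wedge Y|Z))$ coincides with the corner of the outer bound. Function names, the pmf encoding, and the sample values $p = 0.2$, $q = 0.1$ are my own choices.

```python
# Added worked example (not from the paper): numerical checks for Examples 1
# and 2 from explicit joint pmfs.  Logarithms are base 2, so all quantities
# are in bits.  A joint pmf is a dict {outcome_tuple: probability}.
from collections import defaultdict
from itertools import product
from math import isclose, log2


def entropy(pmf):
    """Shannon entropy H of a pmf given as {outcome: probability}."""
    return -sum(p * log2(p) for p in pmf.values() if p > 0)


def marginal(pmf, idx):
    """Marginal pmf of the coordinates listed in idx (outcomes are tuples)."""
    out = defaultdict(float)
    for outcome, p in pmf.items():
        out[tuple(outcome[i] for i in idx)] += p
    return out


def mutual_info(pmf, a, b):
    """I(A ∧ B) for coordinate index lists a and b."""
    return entropy(marginal(pmf, a)) + entropy(marginal(pmf, b)) - entropy(marginal(pmf, a + b))


def cond_mutual_info(pmf, a, b, c):
    """I(A ∧ B | C) = H(A,C) + H(B,C) - H(A,B,C) - H(C)."""
    return (entropy(marginal(pmf, a + c)) + entropy(marginal(pmf, b + c))
            - entropy(marginal(pmf, a + b + c)) - entropy(marginal(pmf, c)))


def capacities(pmf):
    """A, B, C of the paper, SK-capacity (3) and PK-capacity (4) for a pmf on (x, y, z)."""
    X, Y, Z = [0], [1], [2]
    A = mutual_info(pmf, Z, X + Y)
    B = min(mutual_info(pmf, X, Y + Z), mutual_info(pmf, Y, X + Z))
    C = 0.5 * (sum(entropy(marginal(pmf, t)) for t in (X, Y, Z)) - entropy(pmf))
    return {"A": A, "B": B, "C": C, "SK": min(A, B, C), "PK": cond_mutual_info(pmf, X, Y, Z),
            "IXZ": mutual_info(pmf, X, Z), "IYZ": mutual_info(pmf, Y, Z)}


def example1_pmf():
    """Example 1: X, Y independent uniform bits, Z = X ⊕ Y; coordinates (x, y, z)."""
    return {(x, y, x ^ y): 0.25 for x in (0, 1) for y in (0, 1)}


def example1_sk_scheme():
    """n = 2 SK scheme: F = (X1, Y2, Z1 ⊕ Z2), K_S = X2.
    Returns (every terminal recovers K_S, I(K_S ∧ F), H(K_S))."""
    joint = defaultdict(float)          # pmf of (K_S, F1, F2, F3), 16 equiprobable cases
    recoverable = True
    for x1, x2, y1, y2 in product((0, 1), repeat=4):
        z1, z2 = x1 ^ y1, x2 ^ y2
        f1, f2, f3 = x1, y2, z1 ^ z2
        # Decoders: X already holds X2; Y uses Y1, Y2 and F; Z uses Z2 and F2 = Y2.
        at_y = f3 ^ f1 ^ y1 ^ y2
        at_z = z2 ^ f2
        recoverable = recoverable and at_y == x2 and at_z == x2
        joint[(x2, f1, f2, f3)] += 1 / 16
    return recoverable, mutual_info(joint, [0], [1, 2, 3]), entropy(marginal(joint, [0]))


def example1_pk_scheme():
    """n = 1 PK scheme: Z transmits F = Z1, X recovers Y1 = X1 ⊕ Z1, K_P = Y1.
    Returns (X recovers K_P, I(K_P ∧ F, Z^n), H(K_P)); with F = Z1 the middle
    quantity is just I(Y ∧ Z)."""
    pmf = example1_pmf()
    recoverable = all(x ^ z == y for (x, y, z) in pmf)
    return recoverable, mutual_info(pmf, [1], [2]), entropy(marginal(pmf, [1]))


def h(p):
    """Binary entropy function."""
    return entropy({0: p, 1: 1 - p})


def example2_pmf(p, q):
    """Example 2: X uniform, Y -o- X -o- Z, P(Y ≠ X) = p, P(Z ≠ X) = q."""
    return {(x, y, z): 0.5 * (p if y != x else 1 - p) * (q if z != x else 1 - q)
            for x, y, z in product((0, 1), repeat=3)}


def example2_region(p, q):
    """Compare numeric A, B, C, I(X ∧ Y|Z) with the paper's closed forms, test the
    Theorem 3 condition, and return the outer-bound corner (B - I(X∧Y|Z), I(X∧Y|Z))
    next to the Theorem 2 corner (min{I(X∧Z), I(Y∧Z)}, I(X∧Y|Z))."""
    cap = capacities(example2_pmf(p, q))
    pq = p + q - 2 * p * q                # crossover probability of the cascaded BSCs
    closed = {"A": 1 - h(q), "B": 1 - h(p), "C": 1 - (h(p) + h(q)) / 2, "PK": h(pq) - h(p)}
    return {
        "matches_closed_forms": all(isclose(cap[k], closed[k], abs_tol=1e-9) for k in closed),
        "theorem3_applies": isclose(cap["SK"], cap["B"], abs_tol=1e-12),
        "outer_corner": (cap["B"] - cap["PK"], cap["PK"]),
        "inner_corner": (min(cap["IXZ"], cap["IYZ"]), cap["PK"]),
    }


if __name__ == "__main__":
    print("Example 1 SK scheme (recoverable, I(K_S;F), H(K_S)):", example1_sk_scheme())
    print("Example 1 PK scheme (recoverable, I(K_P;F,Z), H(K_P)):", example1_pk_scheme())
    print("Example 1 capacities:", capacities(example1_pmf()))
    print("Example 2 with p=0.2, q=0.1:", example2_region(0.2, 0.1))
```

The two Example 2 corners agree because $\min\{I(X \wedge Z), I(Y \wedge Z)\} = 1 - h(p+q-2pq) = B - I(X \wedge Y|Z)$ under $q < p$, which is exactly why the inner bound of Theorem 2 meets the outer bound of Theorem 1 here. Changing `p` and `q` so that the condition $\min\{A,B,C\} = B$ fails lets one look at the gap between the two corners that the Remarks above leave open.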

III. Discussion 

Inner and outer bounds are derived for the (SK, PK)- 
capacity region for a model for secrecy generation with 
three terminals, each of which observes a distinct component 
of a discrete memoryless multiple source, with unrestricted 
public communication allowed among these terminals. Under 
a certain condition, these bounds coincide to yield the (SK, 
PK)-capacity region. 

An obvious generalization of our model above is one in 
which a secret key is generated by all three terminals, and - 
simultaneously - all three pairs of terminals generate distinct 
private keys, each of which is effectively concealed from 
the remaining terminal. Entropy rates of these simultaneously 
generated secret key and private keys constitute a (SK, 3-PK)-rate 
quadruple. The set of all achievable (SK, 3-PK)-rate 
quadruples is called the (SK, 3-PK)-capacity region. Following 
arguments similar to those used in the proof of Theorem 1, 
we can also obtain an outer bound for this (SK, 3-PK)-capacity 
region. Achievability proofs leading to inner bounds for this 
(SK, 3-PK)-capacity region are under investigation. 

Fig. 3. Inner and outer bounds for $C_{SP}$ for Case 2. [Figure not 
reproduced; the axis marks are $I(X \wedge Y | Z)$, 
$B - \max\{ I(X \wedge Z), I(Y \wedge Z) \}$, $I(X \wedge Y) - I(Z \wedge X, Y)$, 
$\min\{ I(X \wedge Z), I(Y \wedge Z) \}$, $\max\{ I(X \wedge Z), I(Y \wedge Z) \}$ and 
$\frac{I(X \wedge Z) + I(Y \wedge Z)}{2}$.] 